At least two separate bugs related to Monero have been detected.
This week, at least two separate bugs related to Monero (XMR) were reported by crypto community members. The first one allegedly led to a Ledger hardware wallet user losing around 1,680 XMR (nearly $80,000, as of press time) of his funds after making a transaction. The other vulnerability allowed hackers to make fake XMR deposits to cryptocurrency exchanges.
Anonymity above all: What is Monero and how it works
Monero is a cryptocurrency with an additional focus on anonymity. It was launched in April 2014, when Bitcointalk.org user thankful_for_today forked the codebase of Bytecoin under the name BitMonero. To create the new coin, he relied on the ideas that were first outlined in a 2013 white paper dubbed “Cryptonote” written by anonymous personality Nicolas van Saberhagen. Ironically, BitMonero was soon forked itself by open-source developers and named “Monero” (which means “coin” in Esperanto). It has remained an open-source project ever since.
Indeed, Monero has considerably more privacy features compared to conventional cryptocurrencies like Bitcoin (BTC): On top of being a decentralized coin, Monero is designed to be fully anonymous and virtually untraceable. Specifically, it is based on the CryptoNight proof-of-work (PoW) hash algorithm, which allows it to use “ring signatures” (which mix the spender's address with a group of others, making it more difficult to trace transactions), “stealth addresses” (which are generated for each transaction and make it impossible to discover the actual destination of a transaction by anyone else other than the sender and the receiver), and “ring confidential transactions” (which hide the transferred amount).
In 2016, XMR experienced more growth in market capitalization and transaction volume than any other cryptocurrency, undergoing almost a 2,800 percent increase, as per CoinMarketCap.
Notably, a lot of that gain could have come from the underground economy. Being an altcoin that is tailor-made for fully private transactions, Monero eventually became accepted as a form of currency on darknet markets like Alphabay and Oasis, according to Wired. Specifically, after being integrated on those trading platforms in the summer of 2016, Monero’s value “immediately increased around sixfold.”
"That uptick among people who really need to be private is interesting," Riccardo “Fluffypony” Spagni, one of the Monero core developers, told Wired in January 2017.
"If it’s good enough for a drug dealer, it’s good enough for everyone else."
Currently, XMR is the 13th-biggest cryptocurrency by market cap, with the equivalent of over $800 million, according to CoinMarketCap data.
Monero’s alleged privacy remains a controversial topic, as some suggest that the coin is not, in fact, fully anonymous. In an interview with Bloomberg, United States Drug Enforcement Administration (DEA) Special Agent Lilita Infante noted that, although privacy-focused currencies are less liquid and more anonymous than BTC, the DEA “still has ways of tracking” altcoins such as Monero and Zcash. Infante concluded:
“The blockchain actually gives us a lot of tools to be able to identify people. I actually want them to keep using them [cryptocurrencies].”
Moreover, as previously reported by Cointelegraph, Monero has been endorsed as “The Official Currency of the Alt Right” by white supremacists like Christopher Cantwell for its focus on anonymity.
The privacy-focused nature of Monero has also driven compliance-oriented crypto exchanges to turn the coin down. For instance, in June 2018, Japan-based Coincheck delisted XMR and three other anonymity-focused altcoins to follow Counter-Terrorist Financing (CTF) and Anti-Money Laundering (AML) procedures issued by the local financial regulator.
Bug #1: change address bug with Ledger
Status: pending
On March 3, user MoneroDontCheeseMe started a Reddit thread, claiming that he or she believes to “have just lost ~1680 Monero [around $80,000] due to a bug” while using the Monero app with his or her Ledger hardware wallet.
According to the post, the user transferred about 0.000001 XMR from his or her wallet to a view-only wallet, then sent another 10, 200 and finally 141.9 XMR. Allegedly, before sending the last transaction, MoneroDontCheeseMe had about 1,690 XMR in the wallet and 141.95 XMR in an unlocked balance, which is why he or she decided to send 141.9 XMR. However, after the transaction had been sent, the user’s wallet reportedly showed a balance of 0 XMR.
Furthermore, according to the Reddit user, the amounts sent and the transactions recorded on the blockchain “don’t line up.” MoneroDontCheeseMe wrote that the 200 XMR transaction actually deducted 1691.001 XMR from the Ledger Wallet, and also that the amounts reported for the 10 XMR transaction are incongruous. Monero core developer nicknamed binaryfate told Cointelegraph over email:
“My understanding is that the Ledger may have sent the ‘change’ amount to an erroneous one-time destination that the user did not control. For more details you should ask the Ledger team directly, they are working on it and already identified and fixed the bug as far as I know, so it should be pushed shortly.”
Initially, in the comments to the post, Nicolas Bacca, chief technical officer at Ledger, said that their app has been extensively tested, suggesting that it could be a synchronization issue.
However, several hours later, Ledger developers published a warning on the Monero subreddit, advising users not to use the Nano S Monero app because “it seems there is a bug with the change address.”
“The change seems to not be correctly sent. Do not use Ledger Nano S with client 0.14 until more information is provided.”
The official Monero Twitter account has since retweeted Ledger’s tweet containing a link to the warning.
Thus, according to Monero’s binaryfate, the Ledger team has prepared a patch to fix the issue, and is expected to release it in the near future. Cointelegraph reached out to MoneroDontCheeseMe to ask him or her whether this issue is being fixed by Monero or Ledger developers, but he or she appeared hesitant to answer straight away and requested more time.
Cointelegraph has also contacted Ledger developers for further comment, but they have not prepared any statement as of press time.
Bug #2: wallet bug enabling hackers to make fake deposits to crypto exchanges
Status: fixed
On March 3, the official account of the Ryo (RYO) cryptocurrency published a Medium post, highlighting a bug in the XMR wallet software that could allow for sending fake deposits to crypto exchanges.
According to the post, an email reportedly sent to the Monero Announce mailing list warned platforms using the coin that the Monero Vulnerability Response team received a disclosure concerning a vulnerability. The bug was reportedly related to coinbase transactions (the first transaction in a block, created by miners).
“This essentially means that the attacker can make it appear as if he deposited any sum of his choosing to an exchange,” the post read. The mentioned email also contained the patch preventing the vulnerability from being exploitable.
As binaryfate explained to Cointelegraph, first, somebody made a responsible disclosure following the Monero Vulnerability Response Process. Then, an email was sent to the Monero Announce mailing list “warning in advance that both a patch and details of the bug would be released together on the 6th of March.” After that, the Monero developer added that Ryo published details “right away”:
“Due to this article, the details had been made public and delaying would have caused unnecessary risk. Hence a patch was publicly merged on github, and a new version of Monero tagged right away.”
Indeed, a few hours later, the official Monero account tweeted that the fix for the vulnerability had been written and was awaiting review. As per the GitHub page dedicated to the patch, it appears that the code has already been merged into the main branch, which means that the fix is ready and only needs the new release to be published.
Ryo is a code fork of Monero, as per its website. According to the Medium entry, its team fixed the same vulnerability seven months ago.